maybe chmod 0755 './bash_completion.d'
maybe chown named './bind'
maybe chmod 0755 './bind'
+maybe chgrp named './bind/._cfg0000_bind.keys'
+maybe chmod 0640 './bind/._cfg0000_bind.keys'
+maybe chgrp named './bind/._cfg0000_named.conf'
+maybe chmod 0640 './bind/._cfg0000_named.conf'
maybe chgrp named './bind/bind.keys'
maybe chmod 0640 './bind/bind.keys'
maybe chmod 0644 './bind/named-acl.conf'
maybe chmod 0644 './openldap/schema/samba.schema'
maybe chgrp ldap './openldap/slapd.conf'
maybe chmod 0640 './openldap/slapd.conf'
-maybe chmod 0600 './openldap/slapd.conf.default'
+maybe chgrp ldap './openldap/slapd.conf.default'
+maybe chmod 0640 './openldap/slapd.conf.default'
maybe chmod 0600 './openldap/slapd.ldif'
maybe chmod 0600 './openldap/slapd.ldif.default'
maybe chmod 0755 './openldap/ssl'
--- /dev/null
+/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options. To use the built-in DLV key, set
+# "dnssec-lookaside auto;". Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of January 2011. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+ # NOTE: This key is activated by setting "dnssec-lookaside auto;"
+ # in named.conf.
+ dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+ TDN0YUuWrBNh";
+
+ # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ # NOTE: This key is activated by setting "dnssec-validation auto;"
+ # in named.conf.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+};
--- /dev/null
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-9 for more details.
+ * Online versions of the documentation can be found here:
+ * http://www.isc.org/software/bind/documentation
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+ /* Deny transfers by default except for the listed hosts.
+ * If we have other name servers, place them here.
+ */
+ none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+ 127.0.0.0/8;
+ ::1/128;
+};
+
+options {
+ directory "/var/bind";
+ pid-file "/var/run/named/named.pid";
+
+ /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+ //bindkeys-file "/etc/bind/bind.keys";
+
+ listen-on-v6 { ::1; };
+ listen-on { 127.0.0.1; };
+
+ allow-query {
+ /*
+ * Accept queries from our "trusted" ACL. We will
+ * allow anyone to query our master zones below.
+ * This prevents us from becoming a free DNS server
+ * to the masses.
+ */
+ trusted;
+ };
+
+ allow-query-cache {
+ /* Use the cache for the "trusted" ACL. */
+ trusted;
+ };
+
+ allow-recursion {
+ /* Only trusted addresses are allowed to use recursion. */
+ trusted;
+ };
+
+ allow-transfer {
+ /* Zone tranfers are denied by default. */
+ none;
+ };
+
+ allow-update {
+ /* Don't allow updates, e.g. via nsupdate. */
+ none;
+ };
+
+ /*
+ * If you've got a DNS server around at your upstream provider, enter its
+ * IP address here, and enable the line below. This will make you benefit
+ * from its cache, thus reduce overall DNS traffic in the Internet.
+ *
+ * Uncomment the following lines to turn on DNS forwarding, and change
+ * and/or update the forwarding ip address(es):
+ */
+/*
+ forward first;
+ forwarders {
+ // 123.123.123.123; // Your ISP NS
+ // 124.124.124.124; // Your ISP NS
+ // 4.2.2.1; // Level3 Public DNS
+ // 4.2.2.2; // Level3 Public DNS
+ 8.8.8.8; // Google Open DNS
+ 8.8.4.4; // Google Open DNS
+ };
+
+*/
+
+ //dnssec-enable yes;
+ //dnssec-validation yes;
+
+ /*
+ * As of bind 9.8.0:
+ * "If the root key provided has expired,
+ * named will log the expiration and validation will not work."
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+};
+
+/*
+logging {
+ channel default_log {
+ file "/var/log/named/named.log" versions 5 size 50M;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+
+ category default { default_log; };
+ category general { default_log; };
+};
+*/
+
+include "/etc/bind/rndc.key";
+controls {
+ inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
+};
+
+zone "." in {
+ type hint;
+ file "/var/bind/root.cache";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ notify no;
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+// type master;
+// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+// allow-query { any; };
+// allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+// type slave;
+// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+// masters { <MASTER>; };
+
+ /* Anybody is allowed to query but transfer should be controlled by the master. */
+// allow-query { any; };
+// allow-transfer { none; };
+
+ /* The master should be the only one who notifies the slaves, shouldn't it? */
+// allow-notify { <MASTER>; };
+// notify no;
+//};
projects / config / uhu1 / etc.git / commitdiff